Storm-0501 has been observed conducting multi-staged attacks targeting hybrid cloud environments across various U.S. sectors, including government and manufacturing. These attacks involve lateral movement from on-premises environments to the cloud, leading to data exfiltration, credential theft, and ransomware deployment. Storm-0501, a financially motivated cybercriminal group, exploits weak credentials, leverages commodity tools like Cobalt Strike, and uses ransomware, including the Embargo strain, to achieve its objectives.
Storm-0501 gains initial access by exploiting vulnerabilities in public-facing servers, such as Zoho ManageEngine (CVE-2022-47966) and Citrix NetScaler (CVE-2023-4966). After initial compromise, the group conducts extensive reconnaissance using native Windows tools and open-source utilities like OSQuery to discover high-value assets. They also deploy remote monitoring and management tools, such as AnyDesk and NinjaOne, to maintain persistence.
Credential access is achieved using tools like Impacket’s SecretsDump to extract credentials over the network, which are then used to compromise additional accounts, including Domain Admins. For lateral movement, Storm-0501 employs Cobalt Strike’s command-and-control capabilities to interact directly with endpoints. In one case, Cobalt Strike’s Beacon configuration was identified with a modified license ID “666.” The group also uses tools like Rclone to exfiltrate data, masquerading as legitimate processes by renaming binaries to names that resemble legitimate Windows executables, such as svhost.exe (mimicking svchost.exe).
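Detecting the renamed-binary masquerade described above, as an added example that is not part of the original report: a small Python check over constructed Sysmon-style process-creation records (the field names, paths and sample events are assumptions for illustration) that flags a process whose PE OriginalFileName differs from its on-disk name, a protected Windows name running outside System32, and one-character lookalikes such as svhost.exe.

```python
from pathlib import PureWindowsPath

# Windows process names worth protecting; the report's "svhost.exe" imitates svchost.exe.
PROTECTED_NAMES = {"svchost.exe", "lsass.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed Sysmon Event ID 1 style records for illustration; not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe", "OriginalFileName": "svchost.exe"},
    {"Image": r"C:\Users\Public\svhost.exe", "OriginalFileName": "rclone.exe"},
    {"Image": r"C:\ProgramData\svchost.exe", "OriginalFileName": "svchost.exe"},
    {"Image": r"C:\Program Files\rclone\rclone.exe", "OriginalFileName": "rclone.exe"},
]

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to catch one-character lookalikes like svhost.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(event: dict) -> list[str]:
    """Return the masquerading indicators that fire for one process-creation event."""
    image = event["Image"]
    name = PureWindowsPath(image).name.lower()
    original = event.get("OriginalFileName", "").lower()
    findings = []
    # 1. PE version resource disagrees with the on-disk name: the binary was renamed.
    if original and original != name:
        findings.append(f"renamed:{original}->{name}")
    # 2. Protected system name running outside the Windows system directories.
    if name in PROTECTED_NAMES and not image.lower().startswith(SYSTEM_DIRS):
        findings.append(f"system-name-outside-windows-dir:{name}")
    # 3. Near-miss spelling of a protected name (svhost.exe vs svchost.exe).
    for legit in PROTECTED_NAMES:
        if name != legit and edit_distance(name, legit) == 1:
            findings.append(f"lookalike:{name}~{legit}")
    return findings

def scan(events: list[dict]) -> dict[str, list[str]]:
    """Map each suspicious image path to its indicators; clean events are omitted."""
    return {e["Image"]: f for e in events if (f := classify(e))}

if __name__ == "__main__":
    for image, hits in scan(SAMPLE_EVENTS).items():
        print(image, hits)
```

In a real pipeline the OriginalFileName check needs the PE version resource that Sysmon or an EDR supplies; without it, only the path and lookalike rules apply.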
A significant aspect of Storm-0501’s tactics is their ability to pivot from on-premises environments to the cloud, specifically targeting Microsoft Entra ID (formerly Azure AD). They achieve this by compromising Entra Connect Sync accounts, which synchronize on-premises and cloud environments, allowing them to gain persistent backdoor access to the target’s cloud environment.